Our web app needs to be made PCI compliant, i.e. it must not store any credit card numbers. The app is a frontend to a mainframe system which handles the CC numbers internally and - as we have just found out - occasionally still spits out a full CC number on one of its response screens. By default, the whole content of these responses are logged at debug level, and also the content parsed from these can be logged in lots of different places. So I can't hunt down the source of such data leaks. I must make sure that CC numbers are masked in our log files.

The regex part is not an issue, I will reuse the regex we already use in several other places. However I just can't find any good source on how to alter a part of a log message with Log4J. Filters seem to be much more limited, only able to decide whether to log a particular event or not, but can't alter the content of the message. I also found the ESAPI security wrapper API for Log4J which at first sight promises to do what I want. However, apparently I would need to replace all the loggers in the code with the ESAPI logger class - a pain in the butt. I would prefer a more transparent solution.

PCI DSS 3.0 Allow to show the BIN and the Last four at maximum. When you have large traffic is better to mask using those maximum allowed parameters. This can be done by changing this two lines. private static final String MASK = "$1++++++$3";private static final Pattern PATTERN = Pattern.compile("([0-9]{6})([0-9]{6,10})([0-9]{4})");
–
NeoecosOct 22 '14 at 17:26

You could make your new layout a composite of the existing one you are using: Delegate anything that doesn't match your regular expression to it, and then remove or star out the line containing the credit card number
–
James BMar 17 '10 at 11:44

Thanks, this seems to be viable. Although I would prefer subclassing over aggregation in this case. Let's experiment with it a bit...
–
Péter TörökMar 17 '10 at 13:55

Well, better is relative :-) In this case I don't want to log the issuer neither the checksum. I am not really interested in the concrete card number at all - we don't need to search for them in the logs or anything. That's why I don't care about false positives either. The only point is that no full card number shall get into the logs ever. But I agree that in other cases, Adam's solution may be better.
–
Péter TörökMar 23 '12 at 8:47